There's good news and bad on the cybersecurity skills availability front.

On the positive side, the current shortage of cybersecurity professionals in the U.S will likely resolve itself over the next several years as the result of recent efforts involving education, training and security awareness.

But for the time being, organizations will find it disturbingly difficult to find the skilled workers they need to defend themselves from internal and external threats, the RAND Corp. warned this week.

Not only will cybersecurity skills become increasingly costly, they will also become very hard to come by in the near future, said Martin Libicki, one of the authors of a 125-page report from RAND.

"There's plenty of evidence that there is a shortage" of cybersecurity professionals -- especially within government organizations, Libicki said. "The problem cannot be solved overnight. It will take a long time to get the right people into this profession."

The RAND report examines the nature and the source of the cybersecurity skills shortage in the U.S. and how the private sector and the government have responded to the crisis.

Demand for security professionals has skyrocketed since 2007 as the result of increased connectivity, raised awareness, more vulnerabilities and ever more hacker activity. The sudden and rapid rise in demand has led to substantial increases in compensation packages for security professionals in recent years, but that has done little to attract new cybersecurity professionals, RAND said.

"In the longer term, as long as demand does not continue to rise, higher compensation packages and increased efforts to train and educate people in cybersecurity should increase the number of workers in the field" -- putting downward pressure on salaries, it noted.

Some of the increased demand may also run counter to the underlying realities. Because of the heightened attention paid to cybersecurity, it's possible that some companies think they're at greater risk than they were a few years ago and assume they need more people.

As organizations come to better understand their true security needs, demand for cybersecurity workers may fall in the longer term, RAND said.

Here are four other takeaways from the report

Government organizations are hurting the most

The increased demand for cybersecurity professionals has pushed compensation packages to levels that government organizations have a hard time matching. This is especially true for their ability to attract or retain top-level security professionals, Libicki said.

Government compensation is often constrained by rigid pay scales and grade levels that restrict the ability of agencies to hire the skills they need in a supply-constrained labor market. The problem is less acute for lower to mid-tier IT security pros.

"However, once professionals can command more than $250,000 a year, the competitiveness of the U.S. government as an employer suffers correspondingly," the report noted. Though special rates are often available to senior level IT specialists, the long recruitment processes, vetting and security clearance delays can discourage candidates.

Companies can pay all they want and still not find enough people

In the short term, the supply side of the manpower equation will not be responsive to higher salaries because there simply aren't enough professionals to go around. Since training and educating a new generation of cybersecurity workers can take years, organizations that need security skills will be hard pressed to find them.

On a positive note, the higher compensation packages offered to security professionals could begin to attract would-be hires from other areas such as engineering.

Organizations should look at alternate approaches

Companies and government entities should consider adopting more secure system architectures and best practices to reduce their dependence on manpower. Organizations spend close to $70 billion on cybersecurity annually around the world, Libicki said. If even a 10th that amount was invested in making software more secure, there would be less of need for so many cybersecurity professionals.

"We have a model that basically says 'I accept the world of software as is and I am going to patch everything at a systemic level,'" he said. It is an approach that is basically unsustainable in the long term. A company that has 600 security professionals today might require 1,000 in a few years -- and still not be secure.

Importing talent may not be a good approach

A great deal of cybersecurity work is already internationalized, RAND said. For another, bringing in workers from other countries could depress wages and discourage U.S.-born professionals from entering the field. This could become a problem because foreign-born nationals will not have the security clearances required to work for many government organizations.

Brand Pages

Slideshows

ARN kicks off awards season in 2020 with Judges' Lunch

ARN kick-started its 2020 awards season with its annual Judges’ Lunch in Sydney on 13 March, welcoming current and new judges to the panel. The judges came together in recognition of their involvement in this year's ARN Innovation Awards and Women in ICT Awards programs, both of which honour outstanding achievements by individuals and organisations in the IT channel industry. Photos by Ashley Mar.​

In pictures: Nextgen Leadership Forum and Summer Party 2020

Nextgen Distribution held its second Leadership Forum in conjunction with its latest annual Summer Party event on 13 February in Sydney. Drawing upon the theme, 'leading through adversity with diversity,' the Leadership Forum featured keynotes and panellists including NSW Rural Fire Service Commissioner Shane Fitzsimmons; former Governor-General and Chief of the Defence Force Peter Cosgrove; Micro Focus A/NZ managing director Peter Fuller; and Vocus CEO Kevin Russell, among others, discussing leadership in adversity and diversity leadership. Photos by Kwa Nguyen.​

Driving value within the modern workplace

This roundtable, held in association with Vocus and hosted by GenNet, examined why modern collaboration platforms are essential in today’s workplace and discussed how one such platform, Microsoft Teams, can deliver the functionality to meet the needs of the modern enterprise.

Related Whitepapers

Copyright 2020 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.